2 * PowerPC MMU, TLB and BAT emulation helpers for QEMU.
4 * Copyright (c) 2003-2007 Jocelyn Mayer
5 * Copyright (c) 2013 David Gibson, IBM Corporation
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2 of the License, or (at your option) any later version.
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
23 #include "sysemu/kvm.h"
25 #include "mmu-hash32.h"
30 # define LOG_MMU(...) qemu_log(__VA_ARGS__)
31 # define LOG_MMU_STATE(env) log_cpu_state((env), 0)
33 # define LOG_MMU(...) do { } while (0)
34 # define LOG_MMU_STATE(...) do { } while (0)
37 #define PTE_PTEM_MASK 0x7FFFFFBF
38 #define PTE_CHECK_MASK (TARGET_PAGE_MASK | 0x7B)
40 static int ppc_hash32_pp_check(int key, int pp, int nx)
44 /* Compute access rights */
67 access = PAGE_READ | PAGE_WRITE;
78 static int ppc_hash32_check_prot(int prot, int rw, int access_type)
82 if (access_type == ACCESS_CODE) {
83 if (prot & PAGE_EXEC) {
89 if (prot & PAGE_WRITE) {
95 if (prot & PAGE_READ) {
105 static inline int pte_is_valid_hash32(target_ulong pte0)
107 return pte0 & 0x80000000 ? 1 : 0;
110 static int pte_check_hash32(mmu_ctx_t *ctx, target_ulong pte0,
111 target_ulong pte1, int h, int rw, int type)
113 target_ulong ptem, mmask;
114 int access, ret, pteh, ptev, pp;
117 /* Check validity and table match */
118 ptev = pte_is_valid_hash32(pte0);
119 pteh = (pte0 >> 6) & 1;
120 if (ptev && h == pteh) {
121 /* Check vsid & api */
122 ptem = pte0 & PTE_PTEM_MASK;
123 mmask = PTE_CHECK_MASK;
124 pp = pte1 & 0x00000003;
125 if (ptem == ctx->ptem) {
126 if (ctx->raddr != (hwaddr)-1ULL) {
127 /* all matches should have equal RPN, WIMG & PP */
128 if ((ctx->raddr & mmask) != (pte1 & mmask)) {
129 qemu_log("Bad RPN/WIMG/PP\n");
133 /* Compute access rights */
134 access = ppc_hash32_pp_check(ctx->key, pp, ctx->nx);
135 /* Keep the matching PTE informations */
138 ret = ppc_hash32_check_prot(ctx->prot, rw, type);
141 LOG_MMU("PTE access granted !\n");
143 /* Access right violation */
144 LOG_MMU("PTE access rejected\n");
152 static int ppc_hash32_pte_update_flags(mmu_ctx_t *ctx, target_ulong *pte1p,
157 /* Update page flags */
158 if (!(*pte1p & 0x00000100)) {
159 /* Update accessed flag */
160 *pte1p |= 0x00000100;
163 if (!(*pte1p & 0x00000080)) {
164 if (rw == 1 && ret == 0) {
165 /* Update changed flag */
166 *pte1p |= 0x00000080;
169 /* Force page fault for first write access */
170 ctx->prot &= ~PAGE_WRITE;
177 hwaddr get_pteg_offset32(CPUPPCState *env, hwaddr hash)
179 return (hash * HASH_PTE_SIZE_32 * 8) & env->htab_mask;
182 /* PTE table lookup */
183 static int find_pte32(CPUPPCState *env, mmu_ctx_t *ctx, int h,
184 int rw, int type, int target_page_bits)
187 target_ulong pte0, pte1;
191 ret = -1; /* No entry found */
192 pteg_off = get_pteg_offset32(env, ctx->hash[h]);
193 for (i = 0; i < 8; i++) {
194 if (env->external_htab) {
195 pte0 = ldl_p(env->external_htab + pteg_off + (i * 8));
196 pte1 = ldl_p(env->external_htab + pteg_off + (i * 8) + 4);
198 pte0 = ldl_phys(env->htab_base + pteg_off + (i * 8));
199 pte1 = ldl_phys(env->htab_base + pteg_off + (i * 8) + 4);
201 r = pte_check_hash32(ctx, pte0, pte1, h, rw, type);
202 LOG_MMU("Load pte from %08" HWADDR_PRIx " => " TARGET_FMT_lx " "
203 TARGET_FMT_lx " %d %d %d " TARGET_FMT_lx "\n",
204 pteg_off + (i * 8), pte0, pte1, (int)(pte0 >> 31), h,
205 (int)((pte0 >> 6) & 1), ctx->ptem);
208 /* PTE inconsistency */
211 /* Access violation */
221 /* XXX: we should go on looping to check all PTEs consistency
222 * but if we can speed-up the whole thing as the
223 * result would be undefined if PTEs are not consistent.
232 LOG_MMU("found PTE at addr %08" HWADDR_PRIx " prot=%01x ret=%d\n",
233 ctx->raddr, ctx->prot, ret);
234 /* Update page flags */
236 if (ppc_hash32_pte_update_flags(ctx, &pte1, ret, rw) == 1) {
237 if (env->external_htab) {
238 stl_p(env->external_htab + pteg_off + (good * 8) + 4,
241 stl_phys_notdirty(env->htab_base + pteg_off +
242 (good * 8) + 4, pte1);
247 /* We have a TLB that saves 4K pages, so let's
248 * split a huge page to 4k chunks */
249 if (target_page_bits != TARGET_PAGE_BITS) {
250 ctx->raddr |= (ctx->eaddr & ((1 << target_page_bits) - 1))
256 static int get_segment32(CPUPPCState *env, mmu_ctx_t *ctx,
257 target_ulong eaddr, int rw, int type)
261 int ds, pr, target_page_bits;
263 target_ulong sr, pgidx;
268 sr = env->sr[eaddr >> 28];
269 ctx->key = (((sr & 0x20000000) && (pr != 0)) ||
270 ((sr & 0x40000000) && (pr == 0))) ? 1 : 0;
271 ds = sr & 0x80000000 ? 1 : 0;
272 ctx->nx = sr & 0x10000000 ? 1 : 0;
273 vsid = sr & 0x00FFFFFF;
274 target_page_bits = TARGET_PAGE_BITS;
275 LOG_MMU("Check segment v=" TARGET_FMT_lx " %d " TARGET_FMT_lx " nip="
276 TARGET_FMT_lx " lr=" TARGET_FMT_lx
277 " ir=%d dr=%d pr=%d %d t=%d\n",
278 eaddr, (int)(eaddr >> 28), sr, env->nip, env->lr, (int)msr_ir,
279 (int)msr_dr, pr != 0 ? 1 : 0, rw, type);
280 pgidx = (eaddr & ~SEGMENT_MASK_256M) >> target_page_bits;
282 ctx->ptem = (vsid << 7) | (pgidx >> 10);
284 LOG_MMU("pte segment: key=%d ds %d nx %d vsid " TARGET_FMT_lx "\n",
285 ctx->key, ds, ctx->nx, vsid);
288 /* Check if instruction fetch is allowed, if needed */
289 if (type != ACCESS_CODE || ctx->nx == 0) {
290 /* Page address translation */
291 LOG_MMU("htab_base " TARGET_FMT_plx " htab_mask " TARGET_FMT_plx
292 " hash " TARGET_FMT_plx "\n",
293 env->htab_base, env->htab_mask, hash);
295 ctx->hash[1] = ~hash;
297 /* Initialize real address with an invalid value */
298 ctx->raddr = (hwaddr)-1ULL;
299 LOG_MMU("0 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx
300 " vsid=" TARGET_FMT_lx " ptem=" TARGET_FMT_lx
301 " hash=" TARGET_FMT_plx "\n",
302 env->htab_base, env->htab_mask, vsid, ctx->ptem,
304 /* Primary table lookup */
305 ret = find_pte32(env, ctx, 0, rw, type, target_page_bits);
307 /* Secondary table lookup */
308 LOG_MMU("1 htab=" TARGET_FMT_plx "/" TARGET_FMT_plx
309 " vsid=" TARGET_FMT_lx " api=" TARGET_FMT_lx
310 " hash=" TARGET_FMT_plx "\n", env->htab_base,
311 env->htab_mask, vsid, ctx->ptem, ctx->hash[1]);
312 ret2 = find_pte32(env, ctx, 1, rw, type,
318 #if defined(DUMP_PAGE_TABLES)
319 if (qemu_log_enabled()) {
321 uint32_t a0, a1, a2, a3;
323 qemu_log("Page table: " TARGET_FMT_plx " len " TARGET_FMT_plx
324 "\n", sdr, mask + 0x80);
325 for (curaddr = sdr; curaddr < (sdr + mask + 0x80);
327 a0 = ldl_phys(curaddr);
328 a1 = ldl_phys(curaddr + 4);
329 a2 = ldl_phys(curaddr + 8);
330 a3 = ldl_phys(curaddr + 12);
331 if (a0 != 0 || a1 != 0 || a2 != 0 || a3 != 0) {
332 qemu_log(TARGET_FMT_plx ": %08x %08x %08x %08x\n",
333 curaddr, a0, a1, a2, a3);
339 LOG_MMU("No access allowed\n");
345 LOG_MMU("direct store...\n");
346 /* Direct-store segment : absolutely *BUGGY* for now */
348 /* Direct-store implies a 32-bit MMU.
349 * Check the Segment Register's bus unit ID (BUID).
351 sr = env->sr[eaddr >> 28];
352 if ((sr & 0x1FF00000) >> 20 == 0x07f) {
353 /* Memory-forced I/O controller interface access */
354 /* If T=1 and BUID=x'07F', the 601 performs a memory access
355 * to SR[28-31] LA[4-31], bypassing all protection mechanisms.
357 ctx->raddr = ((sr & 0xF) << 28) | (eaddr & 0x0FFFFFFF);
358 ctx->prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
364 /* Integer load/store : only access allowed */
367 /* No code fetch is allowed in direct-store areas */
370 /* Floating point load/store */
373 /* lwarx, ldarx or srwcx. */
376 /* dcba, dcbt, dcbtst, dcbf, dcbi, dcbst, dcbz, or icbi */
377 /* Should make the instruction do no-op.
378 * As it already do no-op, it's quite easy :-)
386 qemu_log("ERROR: instruction should not need "
387 "address translation\n");
390 if ((rw == 1 || ctx->key != 1) && (rw == 0 || ctx->key != 0)) {
402 static int ppc_hash32_get_physical_address(CPUPPCState *env, mmu_ctx_t *ctx,
403 target_ulong eaddr, int rw,
406 bool real_mode = (access_type == ACCESS_CODE && msr_ir == 0)
407 || (access_type != ACCESS_CODE && msr_dr == 0);
411 ctx->prot = PAGE_READ | PAGE_EXEC | PAGE_WRITE;
416 /* Try to find a BAT */
417 if (env->nb_BATs != 0) {
418 ret = get_bat(env, ctx, eaddr, rw, access_type);
421 /* We didn't match any BAT entry or don't have BATs */
422 ret = get_segment32(env, ctx, eaddr, rw, access_type);
428 hwaddr ppc_hash32_get_phys_page_debug(CPUPPCState *env, target_ulong addr)
432 if (unlikely(ppc_hash32_get_physical_address(env, &ctx, addr, 0, ACCESS_INT)
437 return ctx.raddr & TARGET_PAGE_MASK;
440 int ppc_hash32_handle_mmu_fault(CPUPPCState *env, target_ulong address, int rw,
450 access_type = ACCESS_CODE;
453 access_type = env->access_type;
455 ret = ppc_hash32_get_physical_address(env, &ctx, address, rw, access_type);
457 tlb_set_page(env, address & TARGET_PAGE_MASK,
458 ctx.raddr & TARGET_PAGE_MASK, ctx.prot,
459 mmu_idx, TARGET_PAGE_SIZE);
461 } else if (ret < 0) {
463 if (access_type == ACCESS_CODE) {
466 /* No matches in page tables or TLB */
467 env->exception_index = POWERPC_EXCP_ISI;
468 env->error_code = 0x40000000;
471 /* Access rights violation */
472 env->exception_index = POWERPC_EXCP_ISI;
473 env->error_code = 0x08000000;
476 /* No execute protection violation */
477 env->exception_index = POWERPC_EXCP_ISI;
478 env->error_code = 0x10000000;
481 /* Direct store exception */
482 /* No code fetch is allowed in direct-store areas */
483 env->exception_index = POWERPC_EXCP_ISI;
484 env->error_code = 0x10000000;
490 /* No matches in page tables or TLB */
491 env->exception_index = POWERPC_EXCP_DSI;
493 env->spr[SPR_DAR] = address;
495 env->spr[SPR_DSISR] = 0x42000000;
497 env->spr[SPR_DSISR] = 0x40000000;
501 /* Access rights violation */
502 env->exception_index = POWERPC_EXCP_DSI;
504 env->spr[SPR_DAR] = address;
506 env->spr[SPR_DSISR] = 0x0A000000;
508 env->spr[SPR_DSISR] = 0x08000000;
512 /* Direct store exception */
513 switch (access_type) {
515 /* Floating point load/store */
516 env->exception_index = POWERPC_EXCP_ALIGN;
517 env->error_code = POWERPC_EXCP_ALIGN_FP;
518 env->spr[SPR_DAR] = address;
521 /* lwarx, ldarx or stwcx. */
522 env->exception_index = POWERPC_EXCP_DSI;
524 env->spr[SPR_DAR] = address;
526 env->spr[SPR_DSISR] = 0x06000000;
528 env->spr[SPR_DSISR] = 0x04000000;
533 env->exception_index = POWERPC_EXCP_DSI;
535 env->spr[SPR_DAR] = address;
537 env->spr[SPR_DSISR] = 0x06100000;
539 env->spr[SPR_DSISR] = 0x04100000;
543 printf("DSI: invalid exception (%d)\n", ret);
544 env->exception_index = POWERPC_EXCP_PROGRAM;
546 POWERPC_EXCP_INVAL | POWERPC_EXCP_INVAL_INVAL;
547 env->spr[SPR_DAR] = address;
554 printf("%s: set exception to %d %02x\n", __func__,
555 env->exception, env->error_code);
projects / qemu.git / blob